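Reproduction link
xxx
Vant version
2.13.2
Describe the problem you encountered.
In the official documentation, the `allow-html` prop of the van-picker component defaults to true, so the values in the options are parsed as HTML by default. For untrusted data this carries a risk of XSS injection, and unless you process the data manually or change the default value, this potential risk is hard to notice. From a security standpoint, it would be more reasonable to change the default value to false.
Reproduction steps
Device/browser
No response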
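The manual data handling the issue mentions, sketched as an added example (not Vant's code and not the reporter's): option text is HTML-escaped before it reaches `columns`, so it stays inert while `allow-html` is still true. The column shapes handled and the `text` key are assumptions based on the formats Vant 2.x documents; the sample data is constructed.

```javascript
// Added example: escape untrusted option text before passing it to van-picker,
// for code that still runs with allow-html at its 2.x default of true.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that can open a tag, attribute or entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed column shapes: plain strings, { text } option objects,
// { values: [...] } multi-column entries, { text, children: [...] } cascades.
// Returns a new structure; the input is not modified.
function sanitizeColumns(columns, textKey = 'text') {
  return columns.map((col) => {
    if (typeof col === 'string') return escapeHtml(col);
    if (col === null || typeof col !== 'object') return col; // numbers etc. carry no markup
    const safe = { ...col };
    if (typeof safe[textKey] === 'string') safe[textKey] = escapeHtml(safe[textKey]);
    if (Array.isArray(safe.values)) safe.values = sanitizeColumns(safe.values, textKey);
    if (Array.isArray(safe.children)) safe.children = sanitizeColumns(safe.children, textKey);
    return safe;
  });
}

// Constructed sample: option labels as they might arrive from an untrusted API.
const untrustedColumns = [
  '<a href="#" onclick="track()">Shanghai</a>',
  { text: 'Tom & "Jerry"', children: [{ text: '<i>nested</i>' }] },
  { values: ['1 < 2', 42], defaultIndex: 0 },
];

const safeColumns = sanitizeColumns(untrustedColumns);
// Bind safeColumns to :columns. The simpler fix is :allow-html="false" on the picker.
```

Escape only while `allow-html` is true; with `:allow-html="false"` pass the raw values, otherwise users will see the entities literally.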
Hi @liurui981112. Current version (2.x) has reached End of Life. We recommend using the latest 4.x version (LTS). This issue will be auto closed.